CVE-2022-36338

Name of the Vulnerable Software and Affected Versions Insyde InsydeH2O versions 5.0 through 5.5

Description An issue was discovered in Insyde InsydeH2O, where an SMM callout vulnerability in the SMM driver FwBlockServiceSmm leads to arbitrary code execution. This occurs when creating SMM, allowing an attacker to replace the pointer to the UEFI boot service GetVariable with a pointer to malware and then generate a software SMI.

Recommendations For versions 5.0 through 5.5, consider disabling the SMM driver FwBlockServiceSmm as a temporary workaround until a patch is available. Restrict access to the UEFI boot service GetVariable to minimize the risk of exploitation. Avoid using the GetVariable service in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.